Clicky

To secure printers think process, technology and people

For all discussions and good intentions of the paperless office, To press remains an integral part of daily life. It seems likely – at least for the foreseeable future – that there will always be some business need for printed and scanned documents, which leads to that Multifunction printer (MFPs) that are essential for most organizations.

But while the environmental impact of printing is clearly defined, security risks are discussed much less often.

To some extent, solving the problem is as simple as applying general good principles for document security, such as: B. Ensure that no one can see them after they have been printed.

However, since printers are essentially a set of IT assets connected to the corporate network – through which huge amounts of often sensitive data are transferred – they must be viewed as another vulnerable endpoint in the IT infrastructure. And this vulnerability is exacerbated by the Plug and Play many MFPs, which means they require very little setup and can be used anywhere on the network. On the physical side, they’re usually in easily accessible locations in the company, with obvious implications.

In order to minimize the risks posed by printers to an acceptable level, a company must develop a strategy that focuses on processes, technology and people.

Review process

The first step is to fully assess the business needs. Why do people need to print documents? Which ones do you need to print? What risks is the organization exposed to as a result?

This understanding enables the development of the various scenarios that are likely to occur and then a process for securing the print life cycle of the document.

Cybersecurity and physical or corporate security teams need to come together to ensure that everything is considered and that both units have the ability and ability to support and audit the processes being developed.

When digital information moves into the physical realm, a lack of clarity about who is responsible for issues that arise can lead to conflicting rules across teams – and ultimately to practices that are inconsistent with the company’s risk tolerance.

The process level should not only reflect the company’s willingness to take risks, but also take into account that putting in place too many controls could ultimately affect operations by making them excessively burdensome.

Tackle the technology

Like any other endpoint on the network, printers need to be properly configured and secured so that users can have the technology they need to do their jobs without taking any risks. As with the process phase, the exact actions you take will depend on the company’s risk appetite, but the following security controls should be high on your consideration list:

  • Register each printer in the asset register and Configuration management database (CMDB).
  • Include printers in the patching and vulnerability management process.
  • Use endpoint detection and response tools to monitor printers and incorporate them into overall monitoring, flagging indicators of threats (IoCs) and reviewing relevant data by analysts to determine the impact on the entire corporate network. Encrypt print and scan jobs as they move across the network and rest on the printer itself, with the level of encryption determined by the classification of the data being transferred.
  • Apply uniform rules to all IT assets; if USB devices cannot be connected to other end devices, for example, this also applies to printers.
  • Use one printer type and model across the enterprise so that a security standard can be established.
  • Customize the physical security of each printer based on its location and users.
  • Limit the use of non-standard printers; For example, only HR should be able to print paychecks, while stationery printers should be accessible to managers and no one else.
  • Place all printing devices on a dedicated one virtual LAN (VLAN) to ensure that they are firmly connected to the network; Print data is separated from public and private Internet traffic, and only devices with access to the respective VLAN can use the printers.
  • Have clear processes (and equipment) for disposing of paper documents.
  • Link print actions to document properties; those classified as confidential or higher, for example, cannot be printed.
  • Adopt FollowMe printing, which enables a shared print queue where individual jobs can only be accessed and approved through user authentication with a token or passcode (or both if two-factor authentication is required). Tech can help users help themselves (and ultimately the security of the organization).
  • Turn off unnecessary MFP features and services. For example, faxing can be used in one location but redundant elsewhere in the company, while not every printer requires a web interface or wireless connection (in particular, wireless connections that allow everyone to connect and print should be subordinated to the spotlight).
  • Include scanned documents, which may contain sensitive personally identifiable information (PII) such as passport details, in the document processing process. Policies need to cover where they are stored, who has access to them, and whether they need to be encrypted when they are sent via email.

Training of workers

As with most elements of cybersecurity well-trained employees and a constructive safety culture can limit much of an organization’s printer-related risk.

With regard to education, processes need to be explained and understood across the organization; They should also be stepped up over time to verify that the user callbacks are correct and that the most current versions of the processes are being followed.

Much of this is straightforward, such as teaching people how to use printouts properly and why it matters – whether it’s making sure they’ve collected documents from the printer or having a confidential trash can / shredder close to the Have a printer and train people to use it. Even if passwords are used to protect secret documents from unattended printing, the passwords must be strong.

In the longer term, it is critical to develop a culture where everyone embodies good security behavior, follows security processes rather than circumventing them, and immediately reports process violations so that investigations and remedial action can be initiated.

Positive reinforcement is a helpful technique; It should encourage people to break away from the often held view that security is an obstacle to their work and instead focus on understanding the importance of their role in good security operations. Real life stories of the impact should the processes fail or not be followed can be useful as long as they are relevant and realistic so that they are not viewed as scare tactics.

The post-pandemic office

The The Covid-19 climate has raised questions that span all three elements of the process, technology and people triangle. How can employers provide their teams with the process and technology to print securely at home and ensure that users are following required safety behaviors (such as making sure that confidential materials printed at home are not accidentally accessed by other household members is used) ?

Can employees connect to local printers that they have purchased themselves, which can expose the corporate network to tremendous additional risk? Can people shred documents with shredders at home?

Even if pressure safety strategies are in place, many were developed before the pandemic and are therefore ripe for review. These questions, along with various other factors, make sense, especially with regard to the potentially permanent change in jobs, as the number of people who work from home, at least temporarily, is likely to remain significant.

Printer security may not come to mind at first, but it is a key element in the processing of data and should therefore be treated with the same care and attention that is given to other IT assets.

-